Insider Threat Awareness: Defend your business from unforeseen harm
From 2018 to 2020, the damage from insider threats increased to $11.45 million and incident frequency rose by 47%. Fortunately, there are measures you can enact to prevent the theft and extortion of company assets. With September being Insider Threat Awareness Month, we consolidated resources and outlined details of how to keep your business safe from unexpected threats.
What is an insider threat?
An insider is any person with access to or knowledge of company resources, equipment, and systems. Many times, these are employees, but this can be anyone who has network access or sensitive information such as company strategy and market forecasts. An insider becomes a threat when they use these resources to cause intentional, or even unintentional, harm to the company or its people. This includes espionage, sabotage, and release of confidential information, but even minor security faux pas such as clicking a malicious link in an email are included.
Types of Insider Threats: From seeking revenge to everyday errors
While the Cybersecurity and Infrastructure Security Agency (CISA) details several types of insider threats, some of the most notable are:
- Unintentional threats
- Intentional threats
- Collusive threats
Unintentional threats are common carelessness, innocent mistakes, or even laziness that result in simple security malpractices. These types of threats are often back-of-mind, like delaying security updates on company systems or accidentally clicking on a malicious link in a phishing email. From 2015 to 2021, the cost of phishing attacks rose from $3.8 million to $15.1 million. Incidents such as these underscore the importance of proper security training, enforcement, and incentive.
Intentional threats are more widely feared as they're typically perpetrated by a "malicious insider." CISA notes that intentional threats are normally carried out by vengeful individuals in response to conditions like lack of recognition or recent termination. These cases can often include misuse of resources, unauthorized release of information, or even destruction of company equipment. This type of threat cost Cisco $2.4 million after an employee purposefully deleted 456 virtual machines from their infrastructure.
Collusive threats involve more than one person and aren't always contained within the company. Insiders can collude with other insiders, cybercriminals, or even competitors to act on malicious motives. Common consequences for businesses are fraud, theft, and espionage in any combination. Collusive cases with insider accomplices have been shown to go unnoticed for much longer, including one case that remained undiscovered for nearly ten years.
Companies can’t function without employees and/or contractors, so some form of insider threat is inevitable. Particular actions and changes in behavior may signify an insider threat is on the rise.
Insider Threat Indicators: When does an insider become a threat?
Understanding the first signs of insider threats begins with differentiating between malicious and non-malicious behaviors that harm a business. As for threats with malicious intent, Security Magazine outlines some of the following as causes for suspicion:
- Sudden apathy towards work
- Inexplicable late nights in the office
- Sudden increases in wealth
- Request or access to irrelevant company resources
Be mindful that some of these behaviors align with innocuous causes and are not by themselves an indicator of foul play. For example, the lackluster employee could merely be exhausted from issues in their personal life.
Many common forms of insider threats are inadvertent and caused by employees' lack of awareness or complacency, like Dave who always ignores the security policy memos or Susie who always needs to be hounded to update her password. In 2019, not only did human error account for 24% of data breaches, but it also required an average of 224 days and $3.5 million to recover.
As a general rule, employees should only be accessing records, programs, or resources that are necessary for their jobs. It's incredibly important to place preventative measures in your business model. Prevention is key, as remediation of insider threats is far more cumbersome (and can be costly).
Preventing Insider Threats: How can I safeguard my company?
An ounce of prevention is worth a pound of cure when it comes to controlling the damage insider threats can cause. The National Insider Threat Task Force (NITTF) compiled educational materials on insider threat training including case studies, instructor-led courses, and even an interactive game. These free materials also include essays on policy proposals, risk assessment for work-from-home office models, and mitigating threats by eliminating cultural bias.
We've also taken some of CISA's recommendations for mitigating threats and pieced together tips for small and large businesses in the following sections.
For large enterprises
CISA recommends looking into the Guidelines for Establishing an Insider Threat Program proposed by the National Insider Threat Task Force (NITTF):
- Designate a senior official
- Form an insider threat working group
- Establish governance and publish insider threat policy
- Implement a formal training and awareness program
- Create an insider threat program office
Coordinating all these tasks together is a herculean effort, but it can yield incredible rewards in the form of savings. Even if you can't implement all these points, scaling these guidelines to fit your needs would be in your best interest.
For example, when creating a voluntary, internal committee to specialize as threat monitors, sizing is always flexible. The committee would only need one senior official, two subordinates, and a bi-weekly meeting. Incentivizing employees to join could be as simple as scheduling the meeting to end at 4:30 PM and excusing committee members from the rest of their workday. Another option is to designate a trusted employee, like an intern, to create and send out threat mitigation policy newsletters. Balance what works for your business and reap the benefits.
For small businesses
Unlike larger enterprises, small businesses may not have enough hands or time for a full committee. CISA's principles of threat mitigation are still applicable, however. They recommend that businesses instill a company culture of protection and support, identify and safekeep valuables like physical access devices or confidential records while respecting employee rights/privacy, and practice awareness by evolving organization policies as needed. This will require adopting a cybersecurity education agenda for insiders to avoid risks using tactics like:
Security education is vital to protect against the consequences of unintentional insider threats, especially for those with a remote workforce. Malwarebytes detailed that 44% of companies in 2020 with a remote workforce admitted to having insufficient security training despite ransomware demands spiking 43% in 2020 Q4.
Employees should feel responsible but not surveilled. Inspiring a safe and secure workplace will require consistency at all levels, but incorporating security guidelines and tools for proper boundaries can save a lot of headaches, as well as the bottom line.
Preventing insider threats with policies and tools
In general, all security policies should center their guidelines on the principle of least privilege (PoLP), meaning that no insider is given access to more resources than what's necessary to fulfill their responsibilities.
Organizations with a significant number of employees benefit from some sort of identity and access management (IAM) software—such as Microsoft Azure Active Directory, Amazon Web Services Identity and Access Management, and others—to authorize and manage access to specific department applications. For example, the accounting department will have access to the company’s QuickBooks software, but may not have permissions to look at engineering's JIRA workflows.
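As an added illustration of the least-privilege check described above (this is not code from the original article or from any IAM vendor), the following Python compares granted access against a per-department baseline and then checks an access log for use outside that baseline. The baseline, the directory export, the log format, and all user names are constructed assumptions; in practice they would come from your IAM export and application logs.

```python
# Added example; all names and data below are constructed for illustration.
ROLE_BASELINE = {  # apps each department needs (assumed policy)
    "accounting": {"quickbooks", "email"},
    "engineering": {"jira", "email"},
}
GRANTS = {  # constructed IAM export: user -> (department, granted apps)
    "alice": ("accounting", {"quickbooks", "email"}),
    "bob": ("engineering", {"jira", "email", "quickbooks"}),
    "carol": ("accounting", {"quickbooks", "email", "jira"}),
}
ACCESS_LOG = """\
2021-09-01T09:12:03Z alice quickbooks open
2021-09-01T09:15:44Z bob jira open
2021-09-01T22:41:10Z carol jira export
2021-09-02T10:02:19Z bob email open
2021-09-02T23:05:51Z mallory quickbooks open
"""

def excess_grants(grants, baseline):
    """Return {user: apps granted beyond the department baseline}."""
    excess = {}
    for user, (dept, apps) in grants.items():
        extra = apps - baseline.get(dept, set())
        if extra:
            excess[user] = sorted(extra)
    return excess

def off_role_access(log_text, grants, baseline):
    """Return log events from unknown users or outside the user's baseline."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than guess at fields
        ts, user, app, _action = parts
        if user not in grants:
            findings.append((ts, user, app, "unknown-user"))
        elif app not in baseline.get(grants[user][0], set()):
            findings.append((ts, user, app, "outside-baseline"))
    return findings

if __name__ == "__main__":
    print("Over-provisioned:", excess_grants(GRANTS, ROLE_BASELINE))
    print("Off-role access:", off_role_access(ACCESS_LOG, GRANTS, ROLE_BASELINE))
```

The two reports answer different questions: bob holds a QuickBooks grant he has never used, which is a provisioning cleanup, while carol actually used an application outside her department's baseline, which warrants a follow-up.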
Businesses of all sizes can benefit from employing general security best practices like password policies, multi-factor authentication, and mobile device management as these are some of the most effective ways to lock down the office. Even implementing simple software like free password managers can drastically boost security for all company accounts. Combined with network policies like segmenting and web content filtering, these types of tools will inhibit both internal and external threats.
No matter how much training companies implement, human error is inevitable. Adopting a simple, effective safety net for when human error occurs is as easy as adding software solutions like anti-malware, but bear in mind that remote workforces will require extra levels of protection.
September 2021 is Insider Threat Awareness Month: how will you protect your business?
There are many resources online, posted by Forbes Magazine and CISA, to assist businesses of all sizes in mitigating the risk of insider threats. As outlined in Minim's blog, important steps for prevention include:
- Be watchful for suspicious behavior
- Create resources to educate employees about security risks
- Communicate and enforce best practices
- Layer software solutions to bolster security
Even unintentional threats can cost companies up to $1.5 million. By abiding by these principles, companies can protect themselves from unwelcome surprises to their bottom line.